Was your brokerage account hacked? Here’s how to know

Investors who quickly read their brokerage statements and just glance at the bottom line have reason to look more closely, even at portfolios that are less active: There’s a risk that cyber thieves could hack into your account and wire money to their own accounts, or make unauthorized trades to manipulate security prices.

Fidelity Investments, one of the biggest mutual fund companies, was among the institutions that the hackers who snuck into J.P. Morgan Chase’s servers targeted, the Financial Times reported Thursday , though it says no Fidelity systems or customers were affected. Still, the cost of this crime could potentially be greater than when a fraudster uses your credit card, as card issuers generally don’t hold you liable for more than $50.

Many brokerages say they reimburse clients in case of cybertheft. But there’s no blanket protection when someone steals money by worming into a brokerage account through phishing emails — which mimic those of a legitimate organization and typically point recipients to a look-alike website — or other hack attacks.

“Whether a firm decides to reimburse a customer who loses money because of some cybersecurity breach is a decision that a firm makes,” says Gerri Walsh, president of the Investor Education Foundation at the Financial Industry Regulatory Authority (Finra). “Even as awareness of security is increasing, we’re still seeing these instances of phishing attempts and hacking.”

J.P. Morgan: No fraud seen from data breach

Finra updated its investor alert on online fraud last week, warning that “scams that use spam email or a fake website to lure you into revealing your bank or brokerage account information, passwords or PINs, Social Security number or other types of confidential information — have increased significantly since they were first discovered in 2005.” The industry’s self-regulator says about half of firms have cybersecurity insurance, which can help cover the costs of reimbursing customers.

In May, hackers infected an employee’s files at the brokerage house Benjamin F. Edwards & Co., which has almost 50 branches across the U.S., and siphoned data from the files, according to a New Hampshire breach disclosure notice. The company offered its clients and employees one year of free credit monitoring and said in a statement that it hasn’t heard of or seen any unusual activity on the affected accounts.

A Russian national living in New York, Petr Murmylyuk, was sentenced to 30 months in prison in January for hacking into retail brokerage accounts and making unauthorized trades from online accounts at Scottrade, E*Trade Financial
ETFC, -0.77%
, Fidelity Investments, Charles Schwab
SCHW, -0.88%
and other brokerages. He and his co-conspirators made trades in victim accounts to move the prices of holdings in accounts they had opened using stolen identities, causing about $1 million in losses, according to the Federal Bureau of Investigation. The court ordered Murmylyuk to pay about $500,000 in restitution.

“Fidelity promptly and fully reimbursed the very small handful of customers who were affected” by that hacking incident, says Adam Banker, a spokesman for Fidelity, whose “Customer Protection Guarantee” says the firm reimburses any losses from unauthorized activity that occurred through no fault of the customer. Asked about the recent case, spokespersons for E*Trade and Schwab pointed to similar customer-protection programs that reimburse clients for losses due to unauthorized activity.

A Scottrade spokeswoman said the firm couldn’t comment on the case specifically. Scottrade’s “Online Security Guarantee” states that it is contingent upon a checklist of “necessary precautions,” including that the customer uses “safe online habits.”

The Securities and Exchange Commission and Finra began conducting cybersecurity assessments of brokerages and investment advisers earlier this year, asking firms to explain the threats they’ve faced and how they detect phishing and intruders in their computer networks.

Finra brought about 40 cyber- and data-security cases against brokerages last year, imposing fines in some cases.

Investors are generally entitled to quarterly brokerage statements that describe securities account positions, balances and activities and transactions. While keeping track of the bottom line, investors should also scrutinize the portfolio holdings and daily activity.

“The further it gets away from a 2008, the less details they look at. That’s just human nature,” says Drew Horter, a registered investment adviser and founder of Cincinnati-based Horter Investment Management LLC. “You should have no assumption that everything’s OK when you’re an investor.”

How to protect your account:

•Never log onto your account from a public computer

•Secure your account and devices with strong passwords. This is a basic but critical first step. Use two-factor authentication, which sends a code to your inbox or smartphone as a second step to log into an account. While hackers can sometimes bypass or intercept two-factor authentication, it’s still better to add the second layer of protection.

•Check your account statement monthly to confirm individual assets, trades and transactions. “If a customer sees transactions they didn’t authorize within their account, they need to promptly notify the firm, and notify the firm’s compliance office,” says Lori Schock, director of the SEC’s Office of Investor Education and Advocacy. “You can’t just sit back and see whether or not the stocks will make money or not.” But take caution, reviewing activity daily could induce over-trading in response to daily headlines or market moves, experts say.

•When you log into online accounts, check your recent Web activity log. “Most accounts have the last time that you were logged into it,” Schock says. “If you look at that when you’re online and say, ‘hold it, I didn’t log into this last week,’ I would call the firm and have a conversation.”

Intraday Data provided by SIX Financial Information and subject to terms of use.
Historical and current end-of-day data provided by SIX Financial Information. Intraday data
delayed per exchange requirements. S&P/Dow Jones Indices (SM) from Dow Jones & Company, Inc.
All quotes are in local exchange time. Real time last sale data provided by NASDAQ. More
information on NASDAQ traded symbols and their current financial status. Intraday
data delayed 15 minutes for Nasdaq, and 20 minutes for other exchanges. S&P/Dow Jones Indices (SM)
from Dow Jones & Company, Inc. SEHK intraday data is provided by SIX Financial Information and is
at least 60-minutes delayed. All quotes are in local exchange time.